CN101506816A - Apparatus and method supporting interoperability of an encrypting storage device with encryption-unaware application programs by means of a device driver communication to a key manager - Google Patents

Publication number: CN101506816A
Authority: CN (China)
Prior art keywords: memory device, device driver, encrypt, order, encryption
Legal status: Granted; Expired - Fee Related
Application number: CNA2007800311051A
Other languages: Chinese (zh)
Other versions: CN101506816B (en)
Inventors: P·M·格雷科, G·A·伽奎特
Current Assignee: International Business Machines Corp
Original Assignee: International Business Machines Corp

Classifications

    • G06F3/0646 Horizontal data movement in storage systems, i.e. moving data in between storage devices or systems
    • G06F21/6281 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database at program execution time, where the protection is within the operating system
    • G06F21/80 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors
    • G06F3/0623 Securing storage systems in relation to content
    • G06F3/0682 Tape device

Abstract

A tape system is provided with an encryption capable tape drive and an encryption enabled tape drive device driver for the encryption capable tape drive. The encryption enabled tape drive device driver functions as a proxy which connects the encryption capable tape drive to a key manager which serves keys to the tape drive. When the encryption capable device driver causes a command to be sent to the drive, the tape drive is configured to respond with a message that is intended for a key manager such as an External Key Manager (EKM). The encryption capable device driver recognizes that this is a message intended for the EKM and forwards that message to the EKM (e.g., via an Internet Protocol (IP) connection). The EKM then responds to the key request by issuing a new key (for a new cartridge which is to be written from beginning of tape (BOT)) or an existing key (for a cartridge which needs to be read). The device driver connects all EKM responses to the encryption capable tape drive and the EKM from which the encryption capable tape drive obtains its keys.

Description

Apparatus and method supporting interoperability of an encrypting storage device with encryption-unaware application programs by means of a device driver communication to a key manager
Technical field
In general, the present invention relates to tape storage systems and, more specifically, to a device driver acting as a proxy between an encryption-capable tape drive and a key manager.
Background
It is well known to use high-density, removable-media storage libraries within a data storage system to provide large quantities of storage in networked computer systems. Typically, such data storage systems are used for backup or other secondary storage purposes, but they may also be used as primary storage in environments suited to sequential data access and the like. The data is often stored on media cartridges, such as magnetic tape or optical disks. Known media cartridges can store large amounts of data. A storage system may include a plurality of legacy storage devices (i.e., devices that were not specifically designed to work with more current data storage systems).
It is known for encryption-capable drives to obtain keys either in-band from an application (e.g., via Fibre Channel) or out-of-band (e.g., via an interface to the library, such as an RS-422 interface). These ways of obtaining keys are referred to as application-managed keys and library-managed keys, respectively.
However, one issue with encryption-capable tape drives arises when data is provided to the encryption-capable tape drive from a legacy application (i.e., an application that has not been modified to provide keys). A further issue arises when the encryption-capable tape drive is installed in a legacy automated tape library (i.e., a tape library that has not been modified to obtain keys transparently to the application using the drive). In either or both of these cases, the encryption-capable tape drive cannot obtain encryption keys. This issue may also exist in other environments, for example if the encryption-capable tape drive is in a bridge box or is rack mounted (and therefore not automated), or if the encryption-capable tape drive is in a hostile environment (e.g., in a manufacturer's warehouse other than that of the tape drive's manufacturer). It also may not be possible to get the hostile environment to allow keys to be passed to the encryption-capable tape drive.
In each such case, it is desirable to provide a capability for supplying keys to the encryption-capable tape drive so that encryption can be performed transparently to any application executing in the data storage system.
Summary of the invention
According to the present invention, a tape system is provided with an encryption-capable tape drive and an encryption-capable tape drive device driver for the encryption-capable tape drive. The encryption-capable tape drive device driver functions as a proxy that connects the encryption-capable tape drive to a key manager to enable encryption operations, for example the key manager serving keys to the tape drive. The encryption-capable tape drive device driver therefore facilitates encryption without depending on whether the host can support or perform encryption. In one aspect of the invention, when the encryption-capable device driver causes a command (e.g., a read or write command) to be sent to the drive, the tape drive is configured to respond with a message intended for a key manager (e.g., an External Key Manager (EKM)). The encryption-capable device driver recognizes that this is a message intended for the EKM 116 and forwards the message to the EKM (e.g., via an Internet Protocol (IP) connection). The EKM then responds to the key request by issuing a new key (for a new cartridge which is to be written from beginning of tape (BOT)) or an existing key (for a cartridge which needs to be read). The device driver connects all EKM responses to the encryption-capable tape drive and the EKM from which the encryption-capable tape drive obtains its keys.
In this way, the device driver provides a communication path between the encryption-capable tape drive and the EKM from which the encryption-capable tape drive obtains its keys. Once the tape drive has obtained all keys, the driver proxy sends an encryption function message to the device driver, which then continues processing the host application command and passes this information back to the host application. Application data then begins to flow between the drive and the application (to the tape drive in the case of a write, from the tape drive in the case of a read). For normal commands, the device driver continues to serve as the communication path between the application and the device driver. The device driver also detects extended commands intended for the EKM and provides this communication path separately. The tape system therefore has an in-band communication path (i.e., the communication path between the device driver and the tape drive) and an out-of-band communication path (i.e., the communication path between the device driver and the EKM).
Accordingly, in one embodiment, the invention relates to a storage system comprising a host, a storage device coupled to the host, and a device driver executing on the host. The storage device interacts with a storage medium to store information to and retrieve information from the storage medium, and includes an encryption module capable of encrypting and decrypting data stored on the storage medium. The device driver checks for encryption-related information from the storage device. The encryption-related information is generated in response to a command issued by the host. When encryption-related information is present, the device driver facilitates encryption independently of whether the host is capable of encryption.
In another embodiment, the invention relates to a storage device for interacting with a storage medium to store information to and retrieve information from the storage medium. The storage device comprises an encryption module and a controller coupled to the encryption module. The encryption module is capable of encrypting and decrypting data stored on the storage medium. The controller interacts with the encryption module to enable storing information to and retrieving information from the storage medium. The storage device receives information from and sends information to a device driver, and the device driver checks for encryption-related information from the storage device. The encryption-related information is generated by the storage device in response to a command issued by the host. When encryption-related information is present, the device driver facilitates encryption independently of whether the host is capable of encryption.
In another embodiment, the invention relates to a device driver that executes on a host and communicates with a storage device. The device driver comprises: a command initiation portion for intercepting commands issued by the host to the storage device; a command execution portion for executing the command after an encryption operation is complete; and an encryption portion for checking for encryption-related information from the storage device, the encryption-related information being generated by the storage device in response to the command issued by the host. When encryption-related information is present, the device driver facilitates encryption independently of whether the host is capable of encryption.
In another embodiment, the invention relates to a method for facilitating encryption between an encryption-capable storage device and a host. The method comprises: issuing a command to the storage device; intercepting encryption-related information generated by the storage device in response to the command; determining whether the encryption-related information indicates that an encryption operation needs to be performed before the command is executed by the encryption-capable storage device; when the encryption-related information indicates that an encryption operation is needed, performing the encryption operation independently of whether the host is capable of encryption; and executing the command after the encryption operation is complete.
In another embodiment, the invention relates to a storage system. The storage system comprises a host, a storage device coupled to the host, a module coupled to the storage device, and a device driver executing on the host. The storage device interacts with a storage medium to store information to and retrieve information from the storage medium. The device driver checks for special status information from the storage device, the special status information being generated in response to a command issued by the host. When the special status information is present, the device driver facilitates encryption independently of whether the host can communicate with the module.
Preferably, keys are provided to the storage device by a push method. More preferably, keys are provided to the storage device by a pull method. More preferably, the storage device comprises a tape drive.
Preferably, the module comprises a key manager, the key manager providing keys to the storage device via the device driver. More preferably, the storage system further comprises a proxy, the proxy establishing a communication path between the storage device and the key manager so that keys can be provided to the storage device.
More preferably, the command is issued by an application executing on the host. More preferably, the application comprises a backup program that transfers data to and from the storage device.
The above and other objects, features and advantages of the present invention will become apparent in the following detailed description.
Brief description of the drawings
The features of the invention believed to be novel are set forth in the appended claims. The invention itself, however, as well as a preferred mode of use and further objects and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:
Fig. 1 is a schematic block diagram of a representative tape storage system.
Fig. 2 is a schematic block diagram of a tape drive and a tape cartridge.
Fig. 3 is a flow chart of the operation of the tape system when performing an encrypted access.
Figs. 4A-4D (collectively Fig. 4) are a flow chart of the operation of the tape system performing an encrypted access using the key manager pull method.
Fig. 5 is a schematic block diagram of a representative tape storage system and the flow paths of the key manager pull method.
Figs. 6A-6B (collectively Fig. 6) are a flow chart of the operation of the tape system performing an encrypted access using the key manager push method.
Fig. 7 is a schematic block diagram of a representative tape storage system and the flow paths of the key manager push method.
Detailed description
In the following description, reference is made to the accompanying drawings, which illustrate several embodiments of the present invention. It is understood that other embodiments may be utilized and that structural and operational changes may be made without departing from the scope of the present invention.
Referring to Fig. 1, the architecture of a tape storage system 100 in which aspects of the invention are implemented is shown. Tape storage system 100 includes a host 110, a tape drive 112 and a tape cartridge 114. Tape storage system 100 also includes an External Key Manager (EKM) 116.
Host 110 includes device driver 120 and proxy 122. The host also includes application 124. The tape drive includes controller 130 and encryption module 132. Tape cartridge 114 includes a non-volatile cartridge memory 140 and a high-capacity magnetic tape 142.
Application 124 may include a backup program that transfers data to and from tape drive 112 in order to sequentially write data to tape 142 or read data from tape 142. Application 124 may use SCSI tape commands to communicate I/O requests to tape drive 112. Alternatively, application 124 may use other data access command protocols. To retrieve data, application 124 may cause tape 142 to be read sequentially or in a random manner.
Cartridge memory 140 holds information about the format and layout of the data on tape 142. Cartridge memory 140 also holds the encryption information used to encrypt and decrypt the data stored on tape 142.
Tape drive 112 includes read/write heads capable of transferring data to and from tape 142. Tape drive controller 130 receives input/output (I/O) requests from host system 110 and can execute the received I/O requests by rewinding the tape and positioning the tape heads at a particular location on tape 142, using tape drive mechanisms and algorithms that estimate the likely location of a file on the tape. Tape drive 112 may be enclosed within host system 110, be a standalone unit, or be included in a tape library. Tape drive 112 may connect to the host via a direct interface (e.g., SCSI, Fibre Channel, etc.) or via a network (e.g., a Local Area Network (LAN), Storage Area Network (SAN), Wide Area Network (WAN), the Internet, an intranet, etc.).
Even if host 110 or host application 124 is not capable of encryption, device driver 120 enables tape system 100 to encrypt and decrypt data on tape cartridge 142 when the tape drive is encryption capable. Device driver 120 is therefore an encryption-capable tape drive device driver. The encryption-capable tape drive device driver provides proxy functionality via proxy 122, which connects the encryption-capable tape drive 112 to the key manager 116 that serves keys to tape drive 112. Device driver 120 thus provides a communication path between the encryption-capable tape drive 112 and EKM 116, from which the encryption-capable tape drive 112 can obtain keys. For normal (i.e., non-encryption-related) commands, device driver 120 serves as the communication path between the application and the device driver. Device driver 120 can also serve as the communication path to tape drive 112 under control of proxy 122. Device driver 120 also detects extended commands intended for the EKM and provides this communication path separately. The encryption-capable device driver 120 therefore gives tape system 100 an in-band communication path (i.e., the communication path between the device driver and the tape drive) and an out-of-band communication path (i.e., the communication path between the device driver and the EKM).
Fig. 2 is a schematic block diagram of tape drive 112 and tape cartridge 114. Tape drive 112 includes interface 220, encryption module 132 (which may be, for example, an application-specific integrated circuit (ASIC)), read/write system 230 and read/write head 240. Tape drive 112 also includes firmware 250, which is coupled to controller 130 and encryption module 132.
In the example shown, host 110 transfers data to tape drive 112 to be written sequentially to tape cartridge 114, for example by using Small Computer System Interface (SCSI) tape commands to communicate I/O requests to tape drive 112, or by using any other data access command protocol known in the art.
Tape drive 112 uses interface 220 to communicate with host 110. Read/write system 230 interacts with and controls read/write head 240, which reads information from and writes information to the writable tape medium 130. Read/write system 230 controls the movement of read/write head 240 relative to tape medium 130 by moving tape medium 130 across head 240 at a desired speed and by stopping, starting and reversing the direction of tape movement.
The control system (or controller) 130 in tape drive 112 communicates with interface 220, encryption module 132 and read/write system 230. To receive commands and exchange information for operating the cartridge handling system 114, controller 130 also controls interface 220 to communicate over one or more ports (not shown). Encryption module 132 allows data to be securely encrypted and stored to tape cartridge 114, and data stored on tape cartridge 114 to be securely retrieved and decrypted. In operation, encryption module 132 performs the actual data encryption and decryption (e.g., using the Advanced Encryption Standard algorithm) with a data key of any desired key length (e.g., a 128- or 256-bit data key length), and performs other encoding functions such as data compression and decompression and data buffering. To encrypt and decrypt data, encryption module 132 also controls data encryption/decryption by assembling, validating, distributing, storing and retrieving encryption encapsulated data keys (EEDKs), and by securely exchanging data keys (SEDKs) associated with the EEDKs with EKM 116. Encryption module 132 may be implemented with any desired combination of hardware and/or software. For example, encryption module 132 may be implemented with an ASIC or FPGA circuit that is controlled by, and interacts with, firmware 250 and controller 130.
As described above, tape system 100 performs a variety of functions, including but not limited to: encrypting the data to be stored on cartridge 114 using a data key (e.g., an AES encryption key); using public key cryptography to wrap the data key with different keys, forming one or more encrypted data keys; writing the encrypted data and the encrypted data key(s) to, and reading them from, the tape cartridge medium 130; and decrypting the stored encrypted data with the data key obtained by unwrapping the encrypted data key. In this way, tape system 100 provides a distributed key store that allows different users to access the encrypted data on a single tape cartridge 114, by wrapping the data key with each user's public key to generate separate EEDKs.
Fig. 3 is a flow chart of the operation of tape system 100 when performing an encrypted access. More specifically, the tape system performs a command initiation operation 310, an encryption key management operation 312 between tape drive 110 and EKM 116, and a command execution operation 314. Command initiation operation 310 provides a command to device driver 120. Encryption key management operation 312 includes: determining, at step 320, whether encryption is present on (or desired for) tape cartridge 114; performing encryption-related processing at step 322; and determining, at step 324, whether the encryption-related processing is complete. When the encryption-related processing is complete, the command generated in command initiation operation 310 is executed by command execution operation 314.
More specifically, command initiation operation 310 occurs when application 124 attempts to initiate an access to tape drive 112. Application 124 accesses tape drive 112 via device driver 120. The encryption-capable device driver 120 causes a command (e.g., a read or write command) to be sent to tape drive 112.
During encryption operation 312, tape drive 112 responds at step 314 with a message intended for a key manager (e.g., EKM 116). At step 320, the encryption-capable device driver 120 recognizes that this is a message intended for EKM 116. During step 322, device driver 120 forwards the message to EKM 116 (e.g., via an Internet Protocol (IP) connection). EKM 116 then responds to the key request by issuing a new key (for a new cartridge which is to be written from beginning of tape (BOT)) or an existing key (for a cartridge which needs to be read). During step 322, device driver 120 continues the interaction between tape drive 112 and EKM 116, and at step 324 determines whether all EKM responses have been connected to the encryption-capable tape drive 112 and the EKM 116 from which the encryption-capable tape drive obtains its keys. Once the tape drive has obtained all keys, proxy 116 sends an encryption function message to device driver 120 at step 314, and device driver 120 then executes the command.
Next, after the command execution operation of step 314, device driver 120 communicates the command completion information to host application 124. Application data then begins to flow between the drive and the application (to the tape drive in the case of a write, from the tape drive in the case of a read). For normal (i.e., non-encryption-related) commands, device driver 120 serves as the communication path between the application and the device driver. Device driver 120 also detects extended commands intended for the EKM and provides this communication path separately. The encryption-capable device driver 120 therefore gives tape system 100 an in-band communication path (i.e., the communication path between the device driver and the tape drive) and an out-of-band communication path (i.e., the communication path between the device driver and the EKM).
Referring now to Figure 4 and 5, Fig. 4 illustrates the process flow diagram of the operation of the band storage system that is used for the key management unit pulling method, and Fig. 5 illustrates the schematic block diagram of the flow path of representative band storage system and key management unit pulling method.For the corresponding relation of step that process flow diagram is shown better and the flow path of being with storage system, the numeral of representing in the circle on the process flow diagram of Fig. 4 is corresponding to the same numbers in the circle on the block diagram of Fig. 5.
The method begins when an application (for example, application 124) issues a tape command (CMD) at step 410. When application 124 issues the command, the command is actually sent to the driver 120 of the tape drive. Next, at step 412, the driver 120 issues the command to the tape drive. When the tape drive receives the command at step 414, it examines the command at step 416 to determine whether the command is encryption related and requires communication with the EKM 116 (that is, whether encryption information is needed to execute the command).
If the command does not require an encryption-related exchange with the EKM 116, the tape drive 112 executes the command at step 420 and returns a status indication (STS) to the device driver 120 at step 422. At step 424, the device driver 120 examines the status indication. If the status indication is not the special one (that is, the command is not encryption related and has completed), the status is forwarded to the application at step 426. The application then examines the status indication at step 428 to confirm that the command executed, and control returns to the application so that it can issue another command if desired.
If the command does require an encryption-related exchange with the EKM 116, then at step 430 the tape drive 112 returns a special status indication to the device driver 120. (For example, in certain embodiments, the tape drive 112 returns a status indication containing the hexadecimal value EF, which represents any vendor-unique encryption indication.) At step 424, the device driver 120 examines the status indication. If the status indication is the special one (that is, the command is encryption related), then at step 440 the device driver 120 holds the command for later processing and invokes the proxy 122. At step 442, the proxy 122 queries the tape drive 122 to forward information. At step 444, the drive 114 then builds the initial command for encryption and sends this command to the proxy 122 via the driver 120. Then, at step 446, the proxy 122 opens a connection to the EKM 116 and sends the command to the EKM 116. (In certain embodiments, the connection between the drive 112 and the EKM 116 may be via a TCP/IP socket that either already exists or is established by the proxy 122.)
At step 450, the EKM 116 then parses the command. Next, at step 452, the EKM sends an encryption command to the proxy 122. At step 454, the proxy then issues the command to the drive 112. The drive processes the command and then, at step 456, responds to the proxy. At step 458, the proxy 122 forwards the drive's response to the EKM 116. At step 460, the EKM 116 analyzes the response to determine whether further encryption steps are necessary (that is, whether the encryption operation is complete). If further encryption steps are necessary, the EKM returns to step 452 and sends another encryption command to the proxy 122. If no further encryption steps are necessary, then at step 470 the EKM 116 generates a final flow status indication and sends it to the proxy. At step 472, the proxy detects the final flow status indication, and at step 474 it determines whether an error is present. If there is an error (indicating that a problem occurred during the encryption operation), the proxy forwards the status indication to the host application at step 410. If there is no error, the proxy 122 retrieves the command that was held at step 440 and sends it to the drive 122 at step 476. The drive then receives the command at step 414 and continues to process it. Because the encryption operation is complete, the tape drive 112 should determine at step 416 that no encryption-related exchange is needed and should process the command via step 420.
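The flow of steps 410 to 476 above, as an added simulation (not code from the patent or its authors). The hexadecimal value EF comes from the text; the other status values, the command names and the cartridge labels are assumptions, and the proxy is folded into the driver class.

```python
# Added illustration: message flow only, no real SCSI or cryptography.
STS_GOOD = 0x00        # assumed value for normal completion
STS_ERROR = 0x02       # assumed value for a failed encryption exchange
STS_ENCRYPTION = 0xEF  # vendor-unique encryption status named in the text

NEEDS_KEY = {"WRITE", "READ"}  # hypothetical commands that need a key


class TapeDrive:
    """Stand-in for tape drive 112."""

    def __init__(self, cartridge):
        self.cartridge = cartridge
        self.key_loaded = False
        self.executed = []

    def submit(self, cmd):
        # Steps 414-416: decide whether an encryption exchange is needed.
        if cmd in NEEDS_KEY and not self.key_loaded:
            return STS_ENCRYPTION          # step 430
        self.executed.append(cmd)          # step 420
        return STS_GOOD                    # step 422

    def initial_command(self):
        return {"op": "KEY_REQUEST", "cartridge": self.cartridge}  # step 444

    def handle(self, ekm_cmd):
        # Step 456: process one command relayed from the key manager.
        if ekm_cmd["op"] == "LOAD_KEY":
            self.key_loaded = True
        return {"op": ekm_cmd["op"] + "_DONE"}


class KeyManager:
    """Stand-in for EKM 116; known is the set of cartridges it holds keys for."""

    def __init__(self, known):
        self.known = known
        self.pending, self.failed = [], False

    def parse(self, initial):
        # Step 450: an unknown cartridge ends the flow with an error.
        ok = initial["cartridge"] in self.known
        self.failed = not ok
        self.pending = ["IDENTIFY", "LOAD_KEY"] if ok else []

    def next_command(self):
        # Step 452; None means no further encryption step is needed (460).
        return {"op": self.pending.pop(0)} if self.pending else None

    def analyze(self, response):
        # Step 460: an unexpected drive response aborts the exchange.
        if not response["op"].endswith("_DONE"):
            self.failed, self.pending = True, []

    def final_status(self):
        return "ERROR" if self.failed else "OK"    # step 470


class DeviceDriver:
    """Stand-in for device driver 120 with proxy 122 folded in."""

    def __init__(self, drive, ekm):
        self.drive, self.ekm, self.trace = drive, ekm, []

    def _proxy(self):
        # Steps 442-460: relay commands and responses until the EKM is done.
        self.ekm.parse(self.drive.initial_command())
        while (cmd := self.ekm.next_command()) is not None:
            self.trace.append(cmd["op"])
            self.ekm.analyze(self.drive.handle(cmd))
        return self.ekm.final_status()

    def issue(self, cmd):
        status = self.drive.submit(cmd)            # step 412
        if status != STS_ENCRYPTION:               # step 424
            return status                          # step 426
        held = cmd                                 # step 440
        if self._proxy() != "OK":                  # steps 472-474
            return STS_ERROR                       # held command is dropped
        # Step 476: reissue once; a second 0xEF is returned, not retried.
        return self.drive.submit(held)
```

The application only ever calls `issue()` and sees an ordinary status, and a failed key exchange leaves the held command unexecuted, so nothing is written without a key.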
Referring now to Figs. 6 and 7, Fig. 6 is a flow chart of the operation of the tape storage system for the key manager push method, and Fig. 7 is a schematic block diagram showing the flow paths of a representative tape storage system and the key manager push method. To better show the correspondence between the steps of the flow chart and the flow paths of the tape storage system, the circled numbers on the flow chart of Fig. 6 correspond to the same circled numbers on the block diagram of Fig. 7.
The method begins when an application (for example, application 124) issues a tape command (CMD) at step 610. When application 124 issues the command, the command is actually sent to the driver 120 of the tape drive. Next, at step 612, the driver 120 issues the command to the tape drive. When the tape drive receives the command at step 614, it examines the command at step 616 to determine whether the command is encryption related and requires communication with the EKM 116 (that is, whether encryption information is needed to execute the command).
If the command does not require an encryption-related exchange with the EKM 116, the tape drive 112 executes the command at step 620 and returns a status indication (STS) to the device driver 120 at step 622. At step 624, the device driver 120 examines the status indication. If the status indication is not the special one (that is, the command is not encryption related and has completed), the status is forwarded to the application at step 626. The application then examines the status indication at step 628 to confirm that the command executed, and control returns to the application so that it can issue another command if desired.
If the command does require an encryption-related exchange with the EKM 116, then at step 630 the tape drive 112 returns a special status indication to the device driver 120. (For example, in certain embodiments, the tape drive 112 returns a status indication containing the hexadecimal value EF, which represents any vendor-unique encryption indication.) At step 624, the device driver 120 examines the status indication. If the status indication is the special one (that is, the command is encryption related), then at step 640 the device driver 120 holds the command for later processing and invokes the proxy 122.
At step 642, the proxy 122 queries the tape drive 122 to forward information. At step 644, the drive 112 then builds all of the commands necessary for encryption and sends these commands to the proxy 122 via the driver 120.
Then, at step 646, the proxy 122 opens a connection to the EKM 116 and sends the commands to the EKM 116. (In certain embodiments, the connection between the drive 112 and the EKM 116 may be via a TCP/IP socket that either already exists or is established by the proxy 122.)
At step 650, the EKM 116 then processes the encryption commands. Next, at step 670, the EKM sends a flow status indication to the proxy 122. At step 672, the proxy detects this flow status information, and at step 674 it determines whether an error is present. If there is an error (indicating that a problem occurred during the encryption operation), the proxy forwards the status indication to the host application at step 626. If there is no error, the proxy 122 retrieves the command that was held at step 640 and sends it to the drive 122 at step 676. The drive then receives the command at step 614 and continues to process it. Because the encryption operation is complete, the tape drive 112 should determine at step 616 that no encryption-related exchange is needed and should process the command via step 620.
Although the invention has been particularly shown and described with reference to preferred embodiments thereof, those of ordinary skill in the art will understand that the foregoing and other changes in form and detail may be made without departing from the spirit and scope of the invention.
The present invention is well adapted to attain the advantages mentioned above as well as others inherent therein. Although the invention has been depicted, described and defined by reference to particular embodiments of the invention, such references do not imply a limitation on the invention, and no such limitation is to be inferred. The invention is capable of considerable modification, alteration and equivalents in form and function, as will occur to those of ordinary skill in the pertinent art. The depicted and described embodiments are examples only and are not exhaustive of the scope of the invention.
For example, other storage devices can use a similar device driver mechanism. Also, for example, other tape drive architectures are contemplated. Also, for example, although the device driver and the proxy are shown as separate modules, it will be appreciated that the device driver and the proxy may be included in a single module. Also, for example, it will be appreciated that other types of operations may be proxied to other types of complementary modules via the device driver. Also, for example, the functions of the tape drive 112 and the tape cartridge 114 can be implemented in software referred to as a virtual tape library. The virtual tape library software can communicate with the host 110 and emulate the functions of a physical tape library, including reading from and writing to tape media in a tape drive. The virtual tape library software may reside on a separate computer system coupled to the host 110. As another example, the tape drive 112 and the tape cartridge 114 may be included in a tape library.
Also, for example, the embodiments discussed above include modules that perform certain tasks. The modules discussed herein may include scripts, batch files or other executable files. The modules may be stored on a machine-readable or computer-readable storage medium such as a hard disk. Storage devices used for storing modules in accordance with an embodiment of the invention may be magnetic tape, magnetic floppy disks, hard disks, or optical discs (for example, CD-ROM or CD-R). A storage device used for storing firmware or hardware modules in accordance with an embodiment of the invention may also include a semiconductor-based memory, which may be permanently, removably or remotely coupled to a microprocessor/memory system. Thus, the modules may be stored within a computer system memory to configure the computer system to perform the functions of the module. Other new and various types of computer-readable storage media may be used to store the modules discussed herein. In addition, those of ordinary skill in the art will recognize that the separation of functionality into modules is for illustrative purposes. Alternative embodiments may merge the functionality of multiple modules into a single module or may impose an alternate decomposition of the functionality of modules. For example, a module that calls sub-modules may be decomposed so that each sub-module performs its function and passes control directly to another sub-module.
Accordingly, the invention is intended to be limited only by the spirit and scope of the appended claims, giving full cognizance to equivalents in all respects.

Claims (23)

1. A storage system, comprising:
a host;
a storage device coupled to the host, the storage device interacting with a storage medium to store information on and retrieve information from the storage medium, the storage device comprising:
an encryption module capable of encrypting and decrypting data stored on the storage medium; and
a device driver for examining encryption related information from the storage device, the encryption related information being generated in response to a command issued by the host, the device driver being operable, when encryption related information is present, to facilitate encryption independently of whether the host is capable of encryption.
2. The storage system of claim 1, further comprising:
a key manager for providing keys to the storage device via the device driver.
3. The storage system of claim 2, further comprising:
a proxy for establishing a communication path between the storage device and the key manager so as to provide keys to the storage device.
4. The storage system of claim 2, wherein:
the command is issued by an application executing on the host, and the application comprises a backup program that transfers data to and from the storage device.
5. The storage system of claim 1, wherein:
the encryption related information comprises a status indication issued by the storage device, indicating that an encryption operation needs to be performed before the command is executed by the storage device.
6. A storage device for interacting with a storage medium to store information on and retrieve information from the storage medium, the storage device comprising:
an encryption module capable of encrypting and decrypting data stored on the storage medium; and
a controller coupled to the encryption module, for interacting with the encryption module so that information can be stored on and retrieved from the storage medium; wherein
the storage device is operable to receive information from and send information to a device driver, wherein the device driver is operable to examine encryption related information from the storage device, the encryption related information being generated by the storage device in response to a command issued by the host, the device driver being operable, when encryption related information is present, to facilitate encryption independently of whether the host is capable of encryption.
7. The storage device of claim 6, wherein:
the device driver is operable to interact with a key manager, wherein the key manager is operable to provide keys to the storage device via the device driver.
8. The storage device of claim 7, wherein:
the device driver is operable to interact with a proxy, wherein the proxy is operable to establish a communication path between the storage device and the key manager so as to provide keys to the storage device.
9. The storage device of claim 6, wherein:
the command is issued by an application executing on the host, and the application comprises a backup program that transfers data to and from the storage device.
10. The storage device of claim 6, wherein:
the encryption related information comprises a status indication issued by the storage device, indicating that an encryption operation needs to be performed before the command is executed by the storage device.
11. A device driver that executes on a host and communicates with a storage device, the device driver comprising:
a command initiation portion for intercepting commands issued by the host to the storage device;
an encryption portion for examining encryption related information from the storage device, the encryption related information being generated by the storage device in response to a command issued by the host, wherein the device driver is operable, when encryption related information is present, to facilitate encryption independently of whether the host is capable of encryption.
12. The device driver of claim 11, further comprising:
a command execution portion for executing the command after the encryption operation is complete.
13. The device driver of claim 11, wherein:
the device driver is operable to communicate with a key manager, wherein the key manager is operable to provide keys to the storage device via the device driver.
14. The device driver of claim 13, further comprising:
a proxy for establishing a communication path between the storage device and the key manager so as to provide keys to the storage device.
15. The device driver of claim 13, wherein:
the command is issued by an application executing on the host, and the application comprises a backup program that transfers data to and from the storage device.
16. The device driver of claim 11, wherein:
the encryption related information comprises a status indication issued by the storage device, indicating that an encryption operation needs to be performed before the command is executed by the storage device.
17. A method for facilitating encryption between an encryption-capable storage device and a host, comprising:
issuing a command to the storage device;
intercepting encryption related information generated by the storage device in response to the command;
determining whether the encryption related information indicates that an encryption operation needs to be performed before the command is executed by the encryption-capable storage device; and
when the encryption related information indicates that an encryption operation is needed, performing the encryption operation independently of whether the host is capable of encryption.
18. The method of claim 17, further comprising the step of:
executing the command after the encryption operation is complete.
19. The method of claim 17, wherein:
the intercepting step is performed by an encryption-capable device driver; and
the device driver communicates with a key manager, and the key manager provides keys to the encryption-capable storage device via the device driver.
20. The method of claim 19, further comprising:
establishing, via a proxy, a communication path between the encryption-capable storage device and the key manager so as to provide keys to the storage device.
21. The method of claim 19, wherein:
the command is issued by an application executing on the host, and the application comprises a backup program that transfers data to and from the encryption-capable storage device.
22. The method of claim 17, wherein: the encryption related information comprises a status indication issued by the encryption-capable storage device.
23. A computer program comprising program code means adapted to perform all the steps of any one of claims 17 to 22 when the program is run on a computer.
CN2007800311051A 2006-09-07 2007-08-23 Apparatus and method supporting interoperability of an encrypting storage device with encryption-unaware application programs by means of a device driver communication to a key manager Expired - Fee Related CN101506816B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US11/470,731 2006-09-07
US11/470,731 US7882354B2 (en) 2006-09-07 2006-09-07 Use of device driver to function as a proxy between an encryption capable tape drive and a key manager
PCT/EP2007/058786 WO2008028824A1 (en) 2006-09-07 2007-08-23 Apparatus and method supporting interoperability of an encrypting storage device with encryption-unaware application programs by means of a device driver communication to a key manager

Publications (2)

Publication Number Publication Date
CN101506816A true CN101506816A (en) 2009-08-12
CN101506816B CN101506816B (en) 2011-11-09

Family

ID=38657422

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007800311051A Expired - Fee Related CN101506816B (en) 2006-09-07 2007-08-23 Apparatus and method supporting interoperability of an encrypting storage device with encryption-unaware application programs by means of a device driver communication to a key manager

Country Status (5)

Country Link
US (1) US7882354B2 (en)
EP (1) EP2059886A1 (en)
JP (1) JP5052612B2 (en)
CN (1) CN101506816B (en)
WO (1) WO2008028824A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10110572B2 (en) 2015-01-21 2018-10-23 Oracle International Corporation Tape drive encryption in the data path
WO2019141113A1 (en) * 2018-01-16 2019-07-25 深圳市道通科技股份有限公司 Data decryption method and apparatus, and electronic device

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI288352B (en) * 2005-11-17 2007-10-11 Benq Corp Processing methods and systems for drivers
DE102005061662A1 (en) * 2005-12-22 2007-06-28 Giesecke & Devrient Gmbh Auxiliary unit installing method for host-computer, involves installing setting process on computer to detect whether operation routine is transmitted, where process verifies whether information transmitted by unit is stored in computer
US20080155311A1 (en) * 2006-10-23 2008-06-26 International Business Machines Corporation Technique for determining the start position to write data on tape with resistance for media defect
US7853019B1 (en) 2006-11-30 2010-12-14 Netapp, Inc. Tape failover across a cluster
US7962638B2 (en) * 2007-03-26 2011-06-14 International Business Machines Corporation Data stream filters and plug-ins for storage managers
CN101046783A (en) * 2007-04-29 2007-10-03 华为技术有限公司 Peripheral device operation method, peripheral device and mainframe
US7869604B2 (en) * 2007-07-24 2011-01-11 International Business Machines Corporation System for an encryption key path diagnostic
US7869603B2 (en) * 2007-07-24 2011-01-11 International Business Machines Corporation Encryption key path diagnostic
US20090028339A1 (en) * 2007-07-24 2009-01-29 Brian Gerard Goodman Auto-Configuration of a Drive List for Encryption
US8682470B2 (en) 2008-01-08 2014-03-25 International Business Machines Corporation Data storage drive with target of opportunity recognition
US9495561B2 (en) 2008-01-08 2016-11-15 International Business Machines Corporation Target of opportunity recognition during an encryption related process
US8108065B2 (en) * 2008-01-08 2012-01-31 International Business Machines Corporation Target of opportunity in an automated data storage library
US9349410B2 (en) 2008-01-08 2016-05-24 International Business Machines Corporation Automated data storage library with target of opportunity recognition
US8423792B2 (en) * 2008-06-05 2013-04-16 International Business Machines Corporation Apparatus, system, and method for communication between a driver and an encryption source
US20100080393A1 (en) * 2008-10-01 2010-04-01 Feather Stanley S Cryptographic Key Management In Storage Libraries
US8756439B1 (en) * 2009-08-28 2014-06-17 Physical Optics Corporation Encryption key management for secured access

Family Cites Families (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5899987A (en) 1995-10-03 1999-05-04 Memco Software Ltd. Apparatus for and method of providing user exits on an operating system platform
US6134660A (en) * 1997-06-30 2000-10-17 Telcordia Technologies, Inc. Method for revoking computer backup files using cryptographic techniques
US6249866B1 (en) * 1997-09-16 2001-06-19 Microsoft Corporation Encrypting file system and method
US6532497B1 (en) 1998-04-14 2003-03-11 International Business Machines Corporation Separately powered network interface for reporting the activity states of a network connected client
JP2000040031A (en) * 1999-05-10 2000-02-08 Hitachi Ltd File enciphering method and information processing system
US7111005B1 (en) 2000-10-06 2006-09-19 Oracle International Corporation Method and apparatus for automatic database encryption
US20020188856A1 (en) * 2001-06-11 2002-12-12 Brian Worby Storage device with cryptographic capabilities
US6999835B2 (en) 2001-07-23 2006-02-14 Fuji Machine Mfg. Co., Ltd. Circuit-substrate working system and electronic-circuit fabricating process
US7865440B2 (en) 2001-10-11 2011-01-04 International Business Machines Corporation Method, system, and program for securely providing keys to encode and decode data in a storage cartridge
CA2358980A1 (en) 2001-10-12 2003-04-12 Karthika Technologies Inc. Distributed security architecture for storage area networks (san)
JP4128348B2 (en) * 2001-10-25 2008-07-30 富士通株式会社 Data management system
US20030196148A1 (en) 2002-04-12 2003-10-16 Carol Harrisville-Wolff System and method for peer-to-peer monitoring within a network
JP4265156B2 (en) * 2002-06-25 2009-05-20 三菱電機株式会社 Information leakage prevention device and information leakage prevention method
JP3819839B2 (en) 2002-12-09 2006-09-13 エヌ・ティ・ティ・コムウェア株式会社 Content processing method and system, computer program, and recording medium
JP2004199312A (en) * 2002-12-18 2004-07-15 Toyo Commun Equip Co Ltd File encryption method
US7143232B2 (en) 2003-02-25 2006-11-28 International Business Machines Corporation Method, system, and program for maintaining a directory for data written to a storage medium
US7110918B2 (en) 2003-11-05 2006-09-19 Shoplogix Inc. Self-contained system and method for remotely monitoring machines
KR100982513B1 (en) * 2003-11-12 2010-09-16 삼성전자주식회사 Method and Apparatus for restricting storage medium use using user key
US20060161715A1 (en) 2005-01-18 2006-07-20 Konica Minolta Systems Laboratory, Inc. Data bus line and bus
JP4658657B2 (en) 2005-03-28 2011-03-23 ヒューレット−パッカード デベロップメント カンパニー エル.ピー. Storage system, method for storing information in storage device and related method, and computer program product
US20070174362A1 (en) 2006-01-18 2007-07-26 Duc Pham System and methods for secure digital data archiving and access auditing

Also Published As

Publication number Publication date
EP2059886A1 (en) 2009-05-20
US7882354B2 (en) 2011-02-01
US20080065898A1 (en) 2008-03-13
WO2008028824A1 (en) 2008-03-13
JP5052612B2 (en) 2012-10-17
JP2010503092A (en) 2010-01-28
CN101506816B (en) 2011-11-09

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20111109

Termination date: 20200823